[Graham]
> Thus, is an embedded newline in value invalid? Would it be reasonable
> for a WSGI adapter to flag it as an error?

From a security POV, it may be advisable for WSGI servers to *not*
allow newlines in HTTP response headers; newlines in response headers
may be the result of an application's failure to sanitise its inputs.

http://en.wikipedia.org/wiki/HTTP_response_splitting

Regards,

Alan.
_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
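The check suggested in the message above, sketched as WSGI middleware. This is an added example, not code from the original post or from any WSGI server; the names `RejectHeaderNewlines`, `HeaderInjectionError`, `check_headers`, `redirect_app` and `run` are hypothetical, and the sample application and inputs are constructed.

```python
import re
from urllib.parse import unquote

# CR or LF inside a status, header name or header value would end the
# header line early, which is what HTTP response splitting relies on.
_CRLF = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when an application emits a header containing CR or LF."""


def check_headers(status, headers):
    """Validate the arguments an application passes to start_response."""
    if _CRLF.search(status):
        raise HeaderInjectionError("newline in status line: %r" % status)
    for name, value in headers:
        if _CRLF.search(name) or _CRLF.search(value):
            raise HeaderInjectionError("newline in header %r: %r" % (name, value))


class RejectHeaderNewlines:
    """Wraps a WSGI application and flags embedded newlines as an error."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            check_headers(status, headers)  # fail before anything is sent
            return start_response(status, headers, exc_info)
        return self.app(environ, checked_start_response)


# Constructed sample application: decodes the query string and reflects it
# into a header without sanitising it (the failure mode described above).
def redirect_app(environ, start_response):
    target = unquote(environ.get("QUERY_STRING", ""))
    start_response("302 Found", [("Location", "/next?" + target)])
    return [b""]


def run(query):
    """Drive the wrapped app once; return what it was allowed to send."""
    sent = {}
    def start_response(status, headers, exc_info=None):
        sent["status"], sent["headers"] = status, headers
    list(RejectHeaderNewlines(redirect_app)({"QUERY_STRING": query}, start_response))
    return sent
```

Raising in `start_response` surfaces the problem as an application error instead of silently stripping the characters, so the unsanitised input is noticed and fixed at its source.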